killchain-compendium/Forensics/NTFS.md
# NTFS
* Has the following advantages over FAT:
  * Journaling
  * ACLs
  * Volume Shadow Copy
  * Alternate Data Streams
## Master File Table
* The Volume Boot Record (VBR) references `$MFT`
* `$LOGFILE` stores the transactions of the file system
* `$UsnJrnl` records which files changed and the reason for each change
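The change journal is the artifact that turns "which files changed and why" into a timeline. The parser below is an added example written for this page, not code from the compendium: it walks a buffer of `USN_RECORD_V2` entries in the layout documented in the Windows SDK (`winioctl.h`), decodes the `USN_REASON_*` bitmask into names, converts the FILETIME stamp, and splits the 64-bit file reference into MFT entry and sequence number. The sample journal is constructed in the block itself (`build_usn_record`, `SAMPLE_JOURNAL`) and includes the zero padding that `$UsnJrnl:$J` carries at page boundaries, so the reader sees how a parser should stop on it rather than misinterpret it.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flags from the Windows SDK (winioctl.h)
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}

# Fixed 60-byte part of USN_RECORD_V2 (little-endian); the UTF-16LE file name follows it
USN_V2 = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_reasons(reason):
    """Expand the USN reason bitmask into flag names, lowest bit first."""
    return [name for bit, name in sorted(USN_REASONS.items()) if reason & bit]


def parse_usn_journal(buf):
    """Walk a buffer of USN_RECORD_V2 entries, e.g. a carved $UsnJrnl:$J chunk."""
    records, off = [], 0
    while off + USN_V2.size <= len(buf):
        (rec_len, major, _minor, frn, parent_frn, usn, ts, reason, _source,
         _sec_id, attrs, name_len, name_off) = USN_V2.unpack_from(buf, off)
        if rec_len == 0:
            break  # $J pads to page boundaries with zeros; nothing more to read here
        if major != 2 or rec_len < USN_V2.size or off + rec_len > len(buf):
            raise ValueError("unsupported or truncated USN record at offset %d" % off)
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "name": name,
            # NTFS file reference: low 48 bits = MFT entry, high 16 bits = sequence number
            "mft_entry": frn & 0xFFFFFFFFFFFF,
            "mft_sequence": frn >> 48,
            "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
            "attributes": attrs,
            "reasons": decode_reasons(reason),
        })
        off += rec_len  # rec_len already includes the 8-byte alignment padding
    return records


def deleted_files(records):
    """Names whose record carries FILE_DELETE; the MFT entry may already be reused."""
    return [r["name"] for r in records if "FILE_DELETE" in r["reasons"]]


def build_usn_record(name, reason, usn, frn, parent_frn, when):
    """Assemble one USN_RECORD_V2 for the constructed sample below (not a real journal)."""
    name_b = name.encode("utf-16-le")
    body_len = USN_V2.size + len(name_b)
    rec_len = (body_len + 7) & ~7
    ft = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    hdr = USN_V2.pack(rec_len, 2, 0, frn, parent_frn, usn, ft, reason,
                      0, 0, 0x20, len(name_b), USN_V2.size)
    return hdr + name_b + b"\x00" * (rec_len - body_len)


# Constructed sample: create, write, rename and delete of one file, then page padding
_T0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
_FRN = (5 << 48) | 12345       # MFT entry 12345, sequence number 5 (made up)
_PARENT = (1 << 48) | 5        # MFT entry 5 is the root directory
SAMPLE_JOURNAL = b"".join([
    build_usn_record("report.docx", 0x100, 1000, _FRN, _PARENT, _T0),
    build_usn_record("report.docx", 0x2 | 0x80000000, 1096, _FRN, _PARENT, _T0 + timedelta(seconds=5)),
    build_usn_record("report.docx", 0x1000, 1192, _FRN, _PARENT, _T0 + timedelta(minutes=1)),
    build_usn_record("report_final.docx", 0x2000 | 0x80000000, 1288, _FRN, _PARENT, _T0 + timedelta(minutes=1)),
    build_usn_record("report_final.docx", 0x200 | 0x80000000, 1392, _FRN, _PARENT, _T0 + timedelta(hours=2)),
]) + b"\x00" * 64


if __name__ == "__main__":
    recs = parse_usn_journal(SAMPLE_JOURNAL)
    for r in recs:
        print(r["timestamp"].isoformat(), r["name"], "|".join(r["reasons"]))
    print("deleted:", deleted_files(recs))
```

Two details matter in practice: a rename shows up as two records (`RENAME_OLD_NAME` with the old name, `RENAME_NEW_NAME` with the new one) sharing the same file reference, and `FILE_DELETE` tells you the name and MFT entry of a file that may no longer exist anywhere else on the volume, which is why `$J` is worth carving even when `$MFT` has been overwritten.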
## Caching
* Prefetch files cache the loading information of recently executed programs in
```sh
C:\Windows\Prefetch\*.pf
```
* The Windows Timeline activity history is an SQLite database found under
```sh
C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db
```
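Prefetch files record which executable ran, when it last ran and how often, so the header is worth parsing rather than just listing. The block below is an added example, not code from the compendium: it reads the common `.pf` header (version, `SCCA` signature, executable name, prefetch hash) and, for the Windows 7 layout (format version 23), the last-run FILETIME at offset 128 and the run count at offset 152, as documented by the libscca project. It also checks the hash in the file name against the hash in the header, a cheap tamper/rename check, and refuses Windows 10+ files, which are `MAM`-compressed and must be decompressed first. The sample `.pf` (`build_win7_prefetch`, `SAMPLE_PF`) and its hash value are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PREFETCH_VERSIONS = {17: "Windows XP/2003", 23: "Windows Vista/7",
                     26: "Windows 8/8.1", 30: "Windows 10/11"}


def parse_prefetch(data):
    """Parse the common .pf header plus the version-23 (Windows 7) run information."""
    if data[:3] == b"MAM":
        # Windows 10+ writes .pf files LZXPRESS-Huffman compressed behind a 'MAM\x04'
        # header; decompress them before handing the plain SCCA image to this parser
        raise ValueError("compressed (MAM) prefetch file; decompress first")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if file_size != len(data):
        raise ValueError("header size %d != data length %d" % (file_size, len(data)))
    # Executable name: 60 bytes of UTF-16LE at offset 16, NUL terminated
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    info = {
        "version": version,
        "windows": PREFETCH_VERSIONS.get(version, "unknown"),
        "executable": exe_name,
        "hash": pf_hash,
        "last_run": None,
        "run_count": None,
    }
    if version == 23:
        # Version-23 file-information block: last run FILETIME at 128, run count at 152
        ft = struct.unpack_from("<Q", data, 128)[0]
        info["last_run"] = FILETIME_EPOCH + timedelta(microseconds=ft // 10)
        info["run_count"] = struct.unpack_from("<I", data, 152)[0]
    return info


def hash_matches_filename(pf_filename, info):
    """NAME.EXE-XXXXXXXX.pf should carry the same name and hash as its header.

    A mismatch means the file was renamed or its contents were altered.
    """
    stem = pf_filename.rsplit(".", 1)[0]            # drop the ".pf" extension
    name_part, _, hex_hash = stem.rpartition("-")
    try:
        return (name_part.upper() == info["executable"].upper()
                and int(hex_hash, 16) == info["hash"])
    except ValueError:
        return False


def build_win7_prefetch(exe_name, pf_hash, last_run, run_count):
    """Constructed version-23 prefetch image with an otherwise empty information block."""
    ft = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    buf = bytearray(160)
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x11, len(buf))
    buf[16:76] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, pf_hash)
    struct.pack_into("<Q", buf, 128, ft)
    struct.pack_into("<I", buf, 152, run_count)
    return bytes(buf)


# Constructed sample data (hash value is made up, not the real hash of calc.exe)
SAMPLE_PF_NAME = "CALC.EXE-1A2B3C4D.pf"
SAMPLE_PF = build_win7_prefetch("CALC.EXE", 0x1A2B3C4D,
                                datetime(2024, 3, 2, 9, 30, tzinfo=timezone.utc), 7)
SAMPLE_MAM = b"MAM\x04" + struct.pack("<I", 160) + b"\x00" * 16   # compressed-file stub


if __name__ == "__main__":
    info = parse_prefetch(SAMPLE_PF)
    print(info["executable"], info["windows"], info["last_run"], "runs:", info["run_count"],
          "hash ok" if hash_matches_filename(SAMPLE_PF_NAME, info) else "HASH MISMATCH")
```

On a live Windows 7 image you would feed `parse_prefetch` the bytes of each file under `C:\Windows\Prefetch\*.pf`; for Windows 8.1 and 10 the run-count and last-run offsets differ (and the Windows 10 files need decompression), so extend the version check before trusting those two fields.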
## Jumplist
* Store the recently used files of applications pinned to or running in the taskbar
```sh
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
```
## Shortcut Files
```sh
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\
C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\
```
## Internet Explorer History
```sh
C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
```
## Removable Device Setup Log
```sh
C:\Windows\inf\setupapi.dev.log
```